System and method for the transmission and validation of an updated encryption key between two

In a communications system, a method is described allowing two users having established a communication session identified by a unique session freshness proof to transmit and validate a new value of a variable by using an exchange certificate which combines the following elements: the new value of the variable, a common secret key known by both users, an exchange counter representative of the number of values of said variable transmitted between the two users during the current communication session, and the session freshness proof. Protection against potential eavesdroppers and intruders is provided by combining the elements of the exchange certificate cryptographically. Further protection is obtained by interrupting the current communication session and opening a new one, characterized by a new unique session freshness proof, when the exchange counter reaches its maximum value; this avoids the risk that the same value of the session freshness proof keeps being used when the exchange counter is reset to its initial value. Consequently a given pair of values of the session freshness proof and of the exchange counter will never be used more than one time, making eavesdropping and replay attacks by intruders more difficult. Preferably, the method used for opening a new communication session uses already known authentication methods based on the common secret key.
Technical field

The present invention generally relates to 
methods to maintain security in computer networks. 
In particular, it relates to methods for validating 
information exchanged between authorized users or 
other authorized network entities. 

Background Art 

Computer network security techniques include a wide range of methods such as access control mechanisms, user authentication methods, cryptographic systems and traffic integrity protection. Appropriate selection and combination of such methods allows one to build very secure networks, at the expense of overall system complexity, increased cost and degraded performance. This is particularly the case in the arena of encryption key distribution services, for which dynamic schemes using key distribution servers have been developed.

U.S. Patent No. 5,148,479 discloses a method of mutually authenticating users on a communications session. A first user A transmits a challenge N1 to a second user B. In response to the first challenge, B generates a first response to the challenge N1 and transmits it to A along with a second challenge N2. User A verifies that the first response to the challenge N1 is correct and then generates and transmits to B a second response to the second challenge N2. User B verifies that the second response is correct. User A and user B are assumed to share a secret which allows them to verify the correctness of the responses to their challenges. Ideally challenges should be different in every authentication instance; therefore it is suggested that challenges be selected randomly from a huge space. Such challenges are called nonce challenges.

This kind of user authentication method does not always provide sufficient protection against intruder attacks, for instance when data lines cannot be physically secured from taps. More generally, intercept attacks, where an intruder merely intercepts messages from a user A to a user B and forwards them on to their intended destination B, cannot be defended against with user authentication protocols alone; such theft and replay attacks can occur, for instance, in wireless data communications systems using radio frequency or infrared transmission. In such a case, measures are necessary to provide data security in addition to the methods allowing user A and user B to authenticate one another. The encryption of the data flow between A and B is obviously one of these measures.
One of the best known secret-key cryptosystems is the so-called Data Encryption Standard (DES), which has been standardized by ANSI; it is a block cipher system capable of encrypting one 64-bit block of data at a time, using a 64-bit key (of which 56 bits are effective key bits). With all block cipher systems such as DES, using the same encryption key for large amounts of data increases the risk that a potential intruder might break the cryptographic code through statistical cryptanalysis. Therefore, when such block cipher systems are used, it is necessary to modify encryption keys dynamically in order to reduce the risk that an intruder breaks the cryptographic code.
Dynamic key distribution schemes provide robust methods for key distribution and modification: a key server maintains one secret or public master key for every user or entity in its network, which enables it to distribute encryption keys for peer entities wanting to authenticate one another and communicate.

Upon demand of a user A willing to communicate with a user B, the key server (KS) will securely inform A of the secret key which it may use to communicate with user B. Such methods require a significant number of data flows between A, B and KS. Most of these methods use long messages, which make them unsuitable for low network layers. Some require synchronized clocks, such as the so-called Kerberos authentication service; it is based on the so-called Needham-Schroeder protocol and uses timestamps, depending on reliably synchronized clocks, to guarantee the freshness of messages.

European patent application No. 0254812 describes a method for key distribution using a key distribution center (KDC), where in advance the remote device has installed in it only the public key of the KDC. The method of this invention still requires that at least two data flows be exchanged to distribute a fresh encryption key.

The complexity and performance degradation associated with prior art key distribution methods are not adequate for low cost communications systems such as wireless local area networks, which are on one hand very vulnerable to eavesdroppers and intruders and on the other hand have to meet very stringent cost and performance requirements.

Summary of the Invention 

It is therefore an object of the present invention to provide a simple, while safe and reliable, method for dynamically transmitting and validating an encryption key without requiring use of either a clock, a key server or non-volatile counters.

It is also an object of the present invention to provide such a method for dynamically transmitting and validating the value of any variable between two users of a communications network.
Prior to describing the invention in detail, it is convenient to present one of its aspects. The subject invention assumes that a communications session in a network has been established between two users A and B and that A and B share a common secret key S; Es(I) represents the result of the encryption of information I using the DES encryption under the secret key S, and Ds(I) represents the result of the corresponding decryption function, so that Ds( Es(I) ) = I. The communication session between A and B has been opened and is identified by means of a unique session identifier which is used as a session freshness proof. As a particular example, the authentication method described in U.S. Patent 5,148,479 based on the shared secret S can be used to open the communication session between A and B, in which case either of the nonce challenges N1 and N2 used in said method may be used as the unique session identifier. In this particular example N2 will be used as the session freshness proof.

Let us call K a first value of a variable shared by A and B and K' the next value of said variable. Both parties to the connection, A and B, control an exchange counter, respectively c1 and c2, which is incremented each time a new value of said variable is transmitted by A and validated by B, or reciprocally, each time a new value of said variable is transmitted by B and validated by A. In normal operating conditions c1 and c2 should have the same value.

Either party to the connection, A or B, may decide to transmit a new value K' of said variable; it is assumed here that this operation is initiated by A. For that purpose A generates a new value K' of said variable, prepares an exchange certificate M comprising three fields of information M1, M2, M3 and sends it to B. The first field M1 of the exchange certificate is the new value K' encrypted under the secret key S,

M1 = Es( K' );

the second field M2 binds cryptographically the new value K' to the session identifier N2 and to the exchange counter c1 in the following expression,

M2 = Es( N2 ⊕ Es( K' ⊕ c1 ) ),

where ⊕ stands for a bit-by-bit exclusive OR operation; the third field M3 is the clear text value of the exchange counter c1,

M3 = c1.

Upon receipt of this exchange certificate, B performs a synchronization test by comparing the clear text value of the exchange counter c1 provided in the exchange certificate with its own knowledge of the exchange counter c2. If the synchronization test is successful, B uses its secret key S to decrypt M1 and obtain the new value K':

K' = Ds( M1 )

Based on its knowledge of the secret key S, the session freshness proof N2 and K', B validates K' by checking that the following equation is verified:

Es( N2 ⊕ Es( K' ⊕ c2 ) ) = M2

B validates the new value K' of said variable as the new instance of K if both the synchronization and the validation tests are successful.

Upon failure of said validation test, said communication session between A and B is interrupted, because it cannot be trusted anymore, and a new communication session identified by a new unique session freshness proof is opened. The method of the invention is then used at the initiative of either A or B to transmit again a new value of the variable.

This aspect of the invention is merely illustrative of the principles of the invention, which can be summarized as:

A method for transmitting a value K' of a variable between a first user A of a communications system and a second user B, and for validating said value K', said users sharing a common secret key S and having established a first communication session identified by a first unique session freshness proof N2 known to both user A and user B, said method being characterized in that it comprises the steps of:

1. transmitting from A to B said value K' by means of an exchange certificate M comprising at least two fields M1 and M2 of the minimum form:

M1 = f( S, K', ... )
M2 = g( S, K', N2, c1, ... )

wherein f( ) and g( ) are functions such that

f( S, K', ... ) = m1 cannot be solved for K' without knowledge of S, m1 being a given value of field M1, and

g( S, K', N2, c1, ... ) = m2 cannot be solved for K' without knowledge of S, m2 being a given value of field M2;

and wherein

c1 is an exchange counter controlled by A and representative of the number of values of said variable exchanged between user A and user B during said first communication session.

2. processing by B of said exchange certificate M, comprising the steps of:

• deriving from said exchange certificate M said value K' as a result of solving for K' the equation:

f( S, K', ... ) = M1; and

• validating said value K' as a result of the verification of a set of validation conditions comprising at least an equation of the minimum form:

g( S, K', N2, c2, ... ) = M2, wherein

c2 is an exchange counter controlled by B and representative of the number of values of said variable exchanged between user A and user B during said first communication session.

3. interrupting, at the initiative of either A or B, said first communication session between A and B and opening a second communication session identified by a second unique session freshness proof upon occurrence of any one of a set of session reset conditions, said set of reset conditions comprising:

• failure of at least one of said validation conditions; and

• the event that either of the exchange counters c1 and c2 reaches its maximum value.

Brief description of the figures

The foregoing and other objects, aspects and advantages will be better understood from the following detailed description of a preferred embodiment of the invention with reference to the drawing, in which:

Figure 1 is a pictorial diagram showing an indoor radio or infrared digital data communication system of the type in which the invention is implemented;

Figure 1A is a block diagram of the system shown in Figure 1 illustrating the basic components of a mobile station and a base station;

Figure 2 is a block diagram of the radio system used in the implementation of a preferred embodiment of the invention;

Figure 3 is a representation of the data flow exchanged between the base station and the mobile station;

Figure 4 is a flow chart representing the operations performed by the base station;

Figure 5 is a flow chart representing the operations performed by the mobile station;

Figure 6 is a flow chart representing the detail of the encryption key validation step performed by the base station;

Figure 7 is a flow chart representing the detail of the encryption key validation step performed by the mobile station.

Description of the Invention 

Referring now to the drawing, and more particularly to Figure 1, there is shown an indoor radio or infrared system allowing communication between a plurality of mobile stations 10, 12, 14 and 16 and applications and data residing in a computing system. The computing system typically includes a server 18, with attached monitor 20 and keyboard 22, of a local area network (LAN), generally indicated by reference numeral 24, having a plurality of attached workstations or personal computers (not shown for simplicity). Also attached to the LAN are one or more base stations 26 and 28 with which the mobile stations 10, 12, 14 and 16 communicate, using a common radio or infrared channel. The invention is aimed at improving the security of information exchange between the base stations and the mobile stations they are communicating with. Although the remainder of this description assumes that the communication channel used in this particular embodiment of the invention is a radio frequency channel, the man skilled in the art will easily understand that any other communication channel, including an infrared channel, can be used.

As shown in more detail in Figure 1A, a base 
station 26 or 28, which may be a conventional 
microcomputer, has a LAN adapter 30 inserted in a 
bus slot and connected to LAN cabling 32. The 
server 18, typically also a conventional microcom- 
puter and including one or more direct access 
storage devices (DASDs) such as hard disks (not 
shown), also has a LAN adapter 34 inserted in a 
bus slot and connected to LAN cabling 32. The 
LAN adapters 30 and 34 and the LAN cabling 32 
together with LAN software constitute the LAN 24. 
The LAN 24 is of conventional design and does not 
form part of the invention. The base station 26 or 
28 also has an RF transceiver adapter 36 imple- 
mented as a printed circuit card which is inserted 
in a bus slot of the base station. The transceiver 
adapter 36 includes a spread spectrum transceiver 
of conventional design. The transceiver adapter 36 
has an antenna 38 by which a radio link 40 is 
established with one or more remote or mobile 
stations 10, 12, 14 or 16. The mobile station may 
itself be a hand held or lap top computer of con- 
ventional design, and, like the base station, it is 
provided with an antenna 42 and a transceiver 
adapter 44, also implemented as a printed circuit 
card which is inserted in a bus slot of the computer. The transceiver adapter 44, like transceiver
adapter 36, includes a spread spectrum transceiver 
of similar design. The base station and the mobile 
stations are further provided with software, gen- 
erally indicated by reference numerals 46 and 48, 
respectively, which support their respective tran- 
sceiver adapters. 

One form of indoor data radio uses a transmis- 
sion technique known as "spread spectrum", au- 
thorized by the U.S. Federal Communications 
Commission (FCC) in its regulations, part 15.247, 
for use in certain frequency bands without user 
license. Spread spectrum communications offer 
several advantages including low density power 
spectra and interference rejection. There are sev- 
eral types of spread spectrum systems including 
direct sequence digital systems, frequency hopping 
systems, time hopping systems, pulsed frequency 
modulated (or chirp) systems, and various hybrids. 
Of these, the direct sequence digital systems and 
the frequency hopping systems are perhaps the 
more widely implemented. In a direct sequence 
digital system, a fast pseudo-random code gener- 
ator is used to modulate slower digital data which, 
in turn, modulates a carrier. In a frequency hopping 
system, a coherent local oscillator is made to jump 
from one frequency to another under the influence 
of a pseudo-random code generator. 

The subject invention may be implemented 
using either direct sequence digital or frequency 
hopping types of spread spectrum communications 
systems. A description of these and other types of 
spread spectrum communications systems may be 
found, for example, in Spread Spectrum Systems, 
2nd Ed., by Robert C. Dixon, John Wiley & Sons
(1984), and Spread Spectrum Communications, 
Vol. II, by M.K. Simon et al., Computer Science 
Press (1985). 

U.S. Patent 5,123,029 describes a protocol
which could be used for digital data radio commu- 
nication in this embodiment of the present inven- 
tion. 

Figure 2 shows the radio system common to both the mobile stations and the base stations of Figure 1. The radio system includes a transceiver adapter 36 or 44 connected to a computer 50 via the computer's bus interface 52. The transceiver section is itself divided into an RF transceiver 54 or 55, which may be a commercially available spread spectrum transceiver, and a dedicated microprocessor system 56 or 57 which controls the transceiver via an interface 58 or 59. The microprocessor system 56 or 57 further includes a system interface 60 or 61 which interfaces the transceiver section to the computer section 50. The microprocessor system includes a dedicated microprocessor 62 or 63 containing high-resolution time interval determination hardware or "timers" typical of real-time microprocessor systems, and a security device 80 or 81, providing data encryption functions.

Microprocessor 62 or 63 and security device 80 or 81 are connected by a memory bus 64 or 65 to program storage 66 or 67 and data storage 68 or 69, as well as to interfaces 58 or 59 and 60 or 61 providing attachment to RF transceiver 54 or 55 and bus interface 52, respectively. Program storage 66 or 67 is typically read only memory (ROM), while data storage 68 or 69 is static or dynamic random access memory (SRAM or DRAM). Security device 80 or 81 is a commercially available integrated circuit (AM9568LC) available from Advanced Micro Devices.

The computer 50 runs an operating system 70 which supports one or more user application programs 72. The operating system 70 may include a communications manager 74, or the communications manager 74 may itself be an application program installed on the computer. In either case, the communications manager 74 controls a device driver 76 via the operating system 70. The device driver 76, in turn, communicates with the transceiver adapter 36 or 44 via bus interface 52.

When a data unit, designated as a "packet", is received from the device driver 76 by the microprocessor system 56 or 57, it is encrypted by the security device 80 or 81 prior to being stored in data storage 68 or 69 and communicated to the RF transceiver 54 or 55 via interface 58 or 59, under control of serial channels and a direct memory access (DMA) controller (not shown) which is part of the microprocessor 62 or 63. The function of these serial channels is to encapsulate data and control information in an HDLC (high-level data link control) packet structure and provide the packet in serial form to the RF transceiver 54 or 55. For more information on the HDLC packet structure, see, for example, Mischa Schwartz, Telecommunication Networks: Protocols, Modeling and Analysis, Addison-Wesley (1988).

When a packet is received through the RF transceiver 54 or 55, the serial channels check the packet destination address, check for errors, and deserialize the packet to data storage 68 or 69. The packet is decrypted by the security device 80 or 81 prior to being communicated to the device driver 76 via bus interface 52. The serial channels must have the capability to recognize a specific adapter address as well as a broadcast address. Specific microprocessors with appropriate serial channel and timer facilities include the Motorola 68302 and the National Semiconductor HPC46500E microprocessors.

The security device 80 or 81 performs both the data encryption and the data decryption function. For that purpose, it uses a secret encryption key K. The security device 80 of transceiver adapter 36 and the security device 81 of transceiver adapter 44 must use the same encryption key K, so that a packet encrypted by security device 80 using key K can be decrypted by security device 81 using the same key K.

Using the same key for large amounts of data increases the risk that a potential intruder might break this key through statistical analysis of the observed encrypted data flow. Therefore it is necessary to dynamically modify, in a coordinated manner, the value of the encryption key K shared by the security devices 80 and 81 with a fresh encryption key K' by using the method of the present invention.

Figure 3 shows the data flow used by a base station 26 to communicate a new encryption key K' to a mobile station 10 it is communicating with.

The base station 26 and the mobile station 10 share a common secret key S. This secret is stored in the base station and the mobile station at the time of installation of the indoor radio system; it is kept in a permanent memory so that it does not have to be loaded again each time the base station 26 or the mobile station 10 is powered off.

The secret key S is used by security device 80 or 81 to perform a function Es( ) which represents encryption with the secret key S; it can be for instance the Data Encryption Standard (DES) standardized by ANSI. The corresponding decryption function is denoted Ds( ). Both functions Es( ) and Ds( ) can be performed by the security devices 80 and 81 of the base station and the mobile station respectively. Prior to transferring data, the base station 26 and the mobile station 10 complete an authentication procedure using the shared secret key S to initiate a communication session. An example of a family of suitable authentication procedures will be found in U.S. Patent 5,148,479, "Authentication Protocols in Communication Networks", from the same applicant, which is herein incorporated by reference; in this embodiment of the present invention, Es is used as both the f and g functions referred to in said Authentication Protocols. As a result of said authentication procedure the base station and the mobile station both have knowledge of N2, which is a unique random number used by the Authentication Protocols described in the above mentioned U.S. Patent; N2 is used as a freshness proof of the communication session taking place between the base station and the mobile station. c1 and c2 are exchange counters controlled by the base station and the mobile station respectively; they are incremented each time a new instance of the encryption key K' is transmitted and validated. The exchange certificate M sent by the base station to the mobile station in Message (1) comprises three fields M1, M2 and M3 defined as follows.

M1 = Es( K' )
M2 = Es( N2 ⊕ Es( K' ⊕ c1 ) )
M3 = c1

Where ⊕ stands for a bit-by-bit exclusive OR operation.

In response to this first message the mobile station sends a second message, Message (2), to accept or reject the new encryption key K' depending on the result of validity tests performed by the mobile station using the three fields M1, M2 and M3 of the exchange certificate.

Illustrative flow charts of the encryption key transmission and validation method are shown in Figures 4 through 7. These particular flow chart examples are based on the data flow shown in Figure 3.

The flow chart presented in Figure 4 is executed by the base station transceiver adapter 36 of Figure 1A, attempting to communicate with the mobile station transceiver adapter 44 of a mobile station of Figure 1A. The process begins by an opening process performed in function block 400 comprising various initialization procedures and particularly a frequency synchronization procedure to establish a physical communication channel between the base station and the mobile station. Next, exchange counter c1 is reset to 0 and an authentication procedure is performed in function block 410 between the base station transceiver and the mobile station transceiver to open a communication session. As mentioned herein above, a family of suitable authentication procedures will be found in U.S. Patent 5,148,479, "Authentication Protocols in Communication Networks", from the same applicant. Following this step both stations have knowledge of a common session freshness proof N2, and an encryption key validation step is performed in function block 420, further described in Figures 6 and 7. After validation of the encryption key, data transfer starts; periodically an encryption key update condition is tested in decision block 430. The key update condition can for instance be triggered based on data representative of the amount of information transmitted with a given encryption key K, or data representative of the lifetime of K, or a combination of these two criteria. If this condition is met the process loops back to function block 420; otherwise data transfer goes on using the current encryption key K.

Figure 5 shows the sequence of operations executed by the mobile station transceiver adapter 44. Function blocks 500, 510 and 520 are performed in conjunction with the corresponding function blocks of Figure 4, respectively 400, 410 and 420. Function block 500 comprises the counterpart procedure of the initialization procedure of function block 400, and particularly a frequency synchronization procedure matching the one used in function block 400. Function block 510 is the counterpart of function block 410 as described in U.S. Patent 5,148,479. Function block 520 performs the validation of the new encryption key K' and is further described in Figure 7.

Figure 6 shows the details of function block 420. A new encryption key K' is generated in function block 610 and the three fields M1, M2 and M3 of the exchange certificate are built and sent to the mobile station. In decision block 600 a test is made on the message sent back by the mobile station in response to the exchange certificate. If the new encryption key is accepted by the mobile station, the exchange counter c1 is incremented. In case c1 overflows, a return is made to Figure 4 as indicated by the A connector to start again an authentication procedure; otherwise a return is made to Figure 4 as indicated by the B connector to start data transfer. If the new encryption key is not accepted, a return is made to Figure 4 as indicated by the A connector to open a new communication session.

Figure 7 shows the details of function block 520. Upon reception of the exchange certificate, the third field M3 of the exchange certificate is compared with c2 to check that exchange counters c1 and c2 are synchronized. If M3 does not equal c2, the new key K' is rejected by means of a message which is sent back to the base station, and a return is then made to Figure 5 as shown by connector C to open a new communication session. Function block 700 performs the decryption of the first field M1 of the exchange certificate under the secret S; the result of this operation, K', is used to perform a validation test by evaluating the expression

Es( N2 ⊕ Es( K' ⊕ c2 ) )

and comparing it with the second field M2 of the exchange certificate, as shown in decision block 710. If they are equal, the validation test is positive and c2 is incremented; in case of c2 counter overflow the new key K' is rejected by means of a message which is sent back to the base station, and a return is then made to Figure 5 as shown by connector C to open a new communication session; otherwise a message is sent to the base station to accept the new key K' and a return is made to Figure 5 as indicated by connector D to start data transfer. If the validation test is negative, the new key K' is rejected by means of a message which is sent back to the base station, and a return is then made to Figure 5 as shown by connector C to open a new communication session, identified by a new unique session freshness proof.

One particular aspect of this method is that the second field M2 of the exchange certificate binds cryptographically the values of N2, K' and c1 in the expression

M2 = Es( N2 ⊕ Es( K' ⊕ c1 ) ).

The man skilled in the art can easily derive from this particular expression a more general one of the form

M2 = Es( r op Es( s op* t ) ), wherein

• r, s, t are functions of the minimum form:

r = r( N2, ... )
s = s( K', ... )
t = t( c1, ... )

• op and op* are mathematical or Boolean operations.

Similarly fields M1 and M3 can be generalized and take the following minimum form:

M1 = Es( q )
M3 = h( c1, ... )

wherein q is of the minimum form

q = q( K', ... ).

The embodiment of the present invention described herein above needs to be slightly modified when the encryption key K is too long to be encrypted in a single pass of the security device 80 or 81. In this alternate embodiment cipher block chaining (CBC) techniques are used to compute the first field M1 of the exchange certificate. For instance, assuming that the encryption key is 24 bytes long and that the security device can handle only 8 bytes at a time, M1 would consist of the concatenation in a CBC string of the following three CBC blocks:

CBC1 = Es( n' ),
CBC2 = Es( m' ⊕ Es( n' ) ),
CBC3 = Es( l' ⊕ Es( m' ⊕ Es( n' ) ) ),

wherein l' represents the first 8 bytes of K', m' represents the following 8 bytes and n' represents the last 8 bytes of K'.

This alternate embodiment of the invention uses a different expression to build M2, thus reducing the amount of calculations to be performed. As a matter of fact, M2 can be simplified, without departing from the scope of the present invention, by using the following expression:

M2 = Es( N2 ⊕ Es( CBC3 ⊕ c1 ) ).

This reduces the computations to be performed to obtain M2, since CBC3 can be directly obtained from the computation of M1, while maintaining a high level of security since CBC3 cryptographically binds in a condensed form information representative of K'.

Consequently, the form taken by the exchange certificate M in this alternate embodiment would comprise the three following fields M1, M2, M3 wherein,

M1 comprises CBC1, CBC2, CBC3,
and wherein,

CBC1 = Es (n')

CBC2 = Es (m' ⊕ CBC1)

CBC3 = Es (l' ⊕ CBC2)

M2 = Es (N2 ⊕ Es (CBC3 ⊕ c1)),

and

M3 = c1

More generally CBC3 can be described as the last element of the CBC string used to transmit K'.
While the preferred embodiments described herein above deal with encryption key transmission, the man skilled in the art can easily extend the scope of the present invention to the transmission and validation of a value of any variable transmitted between two users of a communications system. Besides that, the above described arrangements are merely illustrative of the application of principles of the invention in which it is assumed that a first user A of a communications system transmits to a second user B a value K' of a variable, said users sharing a common secret key S and having established a first communication session identified by a unique session freshness proof N2 known to both user A and user B. Other arrangements may be devised by using exchange certificate structures comprising at least two fields M1 and M2 of the minimum form:

M1 = f( S, K', ... ),

M2 = g( S, K', N2, c1, ... ),

wherein f and g are injective functions such that:

given a value m1 of field M1, f( S, K', ... ) = m1 cannot be solved for K' without knowledge of S; and

given a value m2 of field M2, g( S, K', N2, c1, ... ) = m2 cannot be solved for K' without knowledge of S,

and wherein,

c1 is an exchange counter controlled by A and representative of the number of values of said variable exchanged between user A and user B during said first communication session.

Consequently, an eavesdropper intercepting this exchange certificate cannot get knowledge of the value K' since he does not know the secret key S. In addition, the present invention allows to protect this exchange certificate against replay attacks. This is achieved by ensuring that a given instance of the couple (N2, c1) is never used twice; in the event that either of exchange counters c1 and c2 reaches its maximum value, said first communication session between A and B is interrupted and a second communication session, identified by a new and unique session freshness proof, is opened, thus avoiding that the prior session freshness proof N2 keeps being used when said counter is reset to its initial value.

Using its knowledge of S, user B derives from said exchange certificate M said value K' as a result of solving for K' the equation,

f( S, K', ... ) = M1;

It then validates said value K' as a result of the verification of a set of validation conditions comprising at least an equation of the minimum form,

g( S, K', N2, c2, ... ) = M2 wherein,

c2 is an exchange counter controlled by B and representative of the number of values of said variable exchanged between user A and user B during said first communication session. The form selected for this validation condition allows, in a single operation, to verify that the values of S, K', N2, c2 used by B correspond to the ones used by A to compute M.

Optionally the exchange certificate M may comprise a third field M3 of the minimum form:

M3 = h(c1, ... )

wherein h( ) is an injective function. Field M3 allows B to test a second validation condition by checking that the exchange counters controlled by A and B, respectively c1 and c2, carry the same value. This is done by testing the equation,

h( c2, ... ) = M3.

If any one among said set of validation conditions fails, said first communication session cannot be trusted anymore; B interrupts said first communication session and a second communication session identified by a second unique session freshness proof is opened after A and B mutually authenticate one another; the method suggested for mutual authentication in this description of the invention is the one described in U.S. Patent No 5,148,479 but other methods could be used.
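The exchange certificate of the embodiments above (M1 = Es(K'), M2 = Es(N2 ⊕ Es(K' ⊕ c1)), M3 = c1, and the CBC string M1 = CBC1, CBC2, CBC3 with the condensed M2 for a 24-byte key) together with the session handling of the general description (B solves M1 for K', checks M2 and M3 against its own counter c2, and either side closes the session on a failed check or when its counter reaches its maximum), as an added example that is not part of the patent. Es is a toy 8-byte HMAC-based Feistel cipher standing in for the security device's cipher, which the page does not specify; the block size, the 8-byte big-endian encoding of the counters and of N2, the use of the last CBC element as the binding value only for multi-block keys, the counter_max of 3, and the sample S, N2 and K' values are all assumptions made for this example.

```python
"""Exchange certificate M = (M1, M2, M3) carrying a new key K' under a shared secret S,
bound to the freshness proof N2 and an exchange counter. Added example, not the patent's
code; Es is a toy cipher standing in for the unspecified device cipher (not for production)."""
import hashlib
import hmac
import struct

BLOCK = 8  # assumption: the security device handles 8-byte blocks, as in the CBC example

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))

def _f(S: bytes, i: int, half: bytes) -> bytes:  # round function keyed by S, per-round domain
    return hmac.new(S, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def Es(S: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block under S (8-round Feistel over _f)."""
    assert len(block) == BLOCK
    L, R = block[:4], block[4:]
    for i in range(8):
        L, R = R, xor(L, _f(S, i, R))
    return R + L

def Ds(S: bytes, block: bytes) -> bytes:
    """Inverse of Es: B can solve M1 = Es(K') for K' only because it holds S."""
    R, L = block[:4], block[4:]
    for i in reversed(range(8)):
        R, L = L, xor(R, _f(S, i, L))
    return L + R

def build_M1(S: bytes, Kp: bytes) -> list:
    """M1 as the page's CBC string, chained from the LAST 8-byte block of K' with no IV:
    CBC1 = Es(n'), CBC2 = Es(m' xor CBC1), CBC3 = Es(l' xor CBC2). A one-block K' gives [Es(K')]."""
    assert len(Kp) % BLOCK == 0, "assumption: K' is a whole number of blocks (no padding here)"
    chain, prev = [], bytes(BLOCK)
    for blk in reversed([Kp[i:i + BLOCK] for i in range(0, len(Kp), BLOCK)]):
        prev = Es(S, xor(blk, prev))
        chain.append(prev)
    return chain

def recover_Kp(S: bytes, M1: list) -> bytes:
    """Undo the chain: n' = Ds(CBC1), m' = Ds(CBC2) xor CBC1, l' = Ds(CBC3) xor CBC2."""
    blocks, prev = [], bytes(BLOCK)
    for cb in M1:
        blocks.append(xor(Ds(S, cb), prev))
        prev = cb
    return b"".join(reversed(blocks))

def build_M2(S: bytes, N2: bytes, M1: list, Kp: bytes, c: int) -> bytes:
    """M2 = Es(N2 xor Es(K' xor c)) for a one-block key; for a long key the condensed form
    Es(N2 xor Es(CBC_last xor c)) reuses the last element of the CBC string."""
    bind = Kp if len(M1) == 1 else M1[-1]
    return Es(S, xor(N2, Es(S, xor(bind, struct.pack(">Q", c)))))

class Peer:
    """Either end of a session: S, the current freshness proof N2 and this side's counter."""
    def __init__(self, S: bytes, N2: bytes, counter_max: int):
        self.S, self.cmax = S, counter_max
        self.reopen(N2)
    def reopen(self, N2_new: bytes):
        """New session under a fresh N2, counter back to its initial value. The mutual
        authentication on S that the page requires before this step is out of scope."""
        self.N2, self.c, self.alive = N2_new, 0, True
    def _bump(self):
        self.c += 1
        if self.c >= self.cmax:  # counter at its maximum: (N2, c) must never repeat, so close
            self.alive = False
    def send(self, Kp: bytes) -> tuple:
        """A's side: M = (M1, M2, M3) with M3 = c1, i.e. h is the identity (claim 8)."""
        if not self.alive:
            raise RuntimeError("session closed; reopen with a new freshness proof")
        M1 = build_M1(self.S, Kp)
        M = (M1, build_M2(self.S, self.N2, M1, Kp, self.c), struct.pack(">Q", self.c))
        self._bump()
        return M
    def receive(self, M: tuple):
        """B's side: recover K', then check M2 against (S, K', N2, c2) and M3 against c2.
        Any failure closes the session. Returns K' on success, None otherwise."""
        M1, M2, M3 = M
        if not self.alive or not M1 or any(len(b) != BLOCK for b in M1):
            return None
        Kp = recover_Kp(self.S, M1)
        c2 = struct.pack(">Q", self.c)
        if not (hmac.compare_digest(M2, build_M2(self.S, self.N2, M1, Kp, self.c))
                and hmac.compare_digest(M3, c2)):
            self.alive = False
            return None
        self._bump()
        return Kp

def demo() -> dict:
    """Protocol walk-through on constructed values; counter_max is tiny so the reset shows."""
    S, N2, N2_new = b"shared secret S (constructed)", b"\x11" * BLOCK, b"\x22" * BLOCK
    A, B = Peer(S, N2, counter_max=3), Peer(S, N2, counter_max=3)
    k8, k24, out = bytes(range(8)), bytes(range(24)), {}
    M_first = A.send(k8)                                    # c1 = 0, M1 = [Es(K')]
    out["short_key_ok"] = B.receive(M_first) == k8
    M_long = A.send(k24)                                    # c1 = 1, M1 = [CBC1, CBC2, CBC3]
    out["cbc_blocks"], out["long_key_ok"] = len(M_long[0]), B.receive(M_long) == k24
    out["replay_rejected"] = B.receive(M_long) is None and not B.alive  # c2 has moved on
    A.reopen(N2_new); B.reopen(N2_new)                     # new session, counters back to 0
    out["stale_cert_rejected"] = B.receive(M_first) is None  # c1 == c2 == 0 but N2 differs
    B.reopen(N2_new); sent = 0
    while A.alive:
        B.receive(A.send(k8)); sent += 1
    out["exchanges_before_reset"] = sent                    # counter_max reached
    return out
```

The stale_cert_rejected case is the point of the freshness proof: a certificate captured in the first session carries c1 = 0 again once both counters have been reset, and only the new N2 keeps it from validating. Note also that the CBC string has no IV and is chained from the last block, so two transmissions of the same K' under the same S produce the same M1; the page relies on N2 and c1 inside M2 and M3, not on M1, for freshness.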

Claims 

1. A method for transmitting a value K' of a variable, between a first user A of a communications system and a second user B, and for validating said value K', said users sharing a common secret key S and having established a first communication session identified by a first unique session freshness proof N2 known to both user A and user B, said method being characterized in that it comprises the steps of:

a. transmitting from A to B said value K' by means of an exchange certificate comprising at least two fields M1 and M2 of the minimum form:

M1 = f( S, K', ... )
M2 = g( S, K', N2, c1, ... )

wherein f( ) and g( ) are functions such that,

f( S, K', ... ) = m1 cannot be solved for K' without knowledge of S, m1 being a given value of field M1 and,

g( S, K', N2, c1, ... ) = m2 cannot be solved for K' without knowledge of S, m2 being a given value of field M2;

and wherein,

c1 is an exchange counter controlled by A and representative of the number of values of said variable exchanged between user A and user B during said first communication session.

b. processing by B of said exchange certificate M comprising the steps of:

• deriving from said exchange certificate M said value K' as a result of solving for K' the equation:

f( S, K', ... ) = M1; and

• validating said value K' as a result of the verification of a set of validation conditions comprising at least an equation of the minimum form:

g( S, K', N2, c2, ... ) = M2 wherein,

c2 is an exchange counter controlled by B and representative of the number of values of said variable exchanged between user A and user B during said first communication session.

c. interrupting at the initiative of either A or B said first communication session between A and B and opening a second communication session identified by a second unique session freshness proof upon occurrence of any one of a set of session reset conditions, said set of reset conditions comprising failure of at least one of said validation conditions.

2. The method of claim 1 wherein said set of 
session reset conditions further comprises the 
event that either of exchange counters c1 and 
c2 reaches its maximum value. 

3. The method of claims 1 and 2 wherein,

f( S, K', ... ) = Es( q )

g( S, K', N2, c1, ... ) = Es( r op Es(s op' t) )

wherein

• Es( ) is a data encryption function using S as the encryption key;

• op and op' are mathematical or Boolean operations; and

• q, r, s, t are functions of the minimum form

q = q(K', ...)
r = r(N2, ...)
s = s(K', ...)
t = t(c1, ...)

4. The method of claim 3 wherein op and op' represent the exclusive bit-by-bit OR Boolean operation.

5. The method of claims 3 and 4 wherein functions q, r, s and t are:

q(K', ...) = K'
r(N2, ...) = N2
s(K', ...) = K'
t(c1, ...) = c1

6. The method according to any of claims 1 to 5 wherein said exchange certificate further comprises a third field M3 of the minimum form

M3 = h(c1, ... ).

7. The method of claim 6 wherein said set of validation conditions further comprises verifying that

h(c2, ... ) = M3.

8. The method of claim 7 wherein function h is h( c, ... ) = c.

9. A communications system including means for carrying out the method of claim 1.

10. The system of claim 9 wherein said communications system uses a radio frequency or an infrared communication channel.